M365: Crate to facilitate compromised account investigation
in progress
Multiple Cod
Pulling logs from O365, identifying and rectifying malicious mail flow rules. Grabbing forensic data from cloud & end-user devices
Respective Stoat
Would be nice to have the Workflow rules log the rule that was removed and also check (but not delete) other suspicious rules like moving emails to the RSS feed folder
Sudden Turtle
This also needs to revoke all active MFA tokens and force MFA re-registration. Latest account hijacks are also stealing MFA tokens from browsers and then inserting new MFA methods upon compromise.
Global Rhinoceros
Would love for this to work natively with Huntress integrations as well...
Chartreuse Gopher
in progress
MVP is being scoped and planned for this automation.
Chartreuse Gopher
Merged in a post:
M365 - Email Compromise Response
Peach puff Hoverfly
Reset of Password
End all Sessions
Block Sign In
Pull report on Sign In Activities
Complete a Mail Recall
Pull a mailflow report to see what recipients were emailed during a specific timeframe
send out email to those recipients to ignore / delete mail that was sent
remove all mail rules that forward to an external domain
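The sign-in block, session end and external-forwarding cleanup from the list above, together with the earlier request that the workflow log each rule it removes and only flag (not delete) rules that hide mail in folders like RSS Feeds, as one added PowerShell example. This is not the crate's code or any commenter's; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that Connect-ExchangeOnline and Connect-MgGraph have already been run with sufficient rights, and the function name and log-file path are constructed for the example. Mail recall and the sign-in report are not covered here.

```powershell
# Added example, not the crate's or any commenter's code. Assumes ExchangeOnlineManagement and
# Microsoft.Graph are installed and Connect-ExchangeOnline / Connect-MgGraph were already run.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,          # compromised account
    [string] $LogPath = ".\bec-response-$(Get-Date -Format yyyyMMdd-HHmmss).json"
)

# Block sign-in and end all sessions (refresh tokens are invalidated, forcing re-auth).
Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

# Domains the tenant owns; any other recipient domain counts as external.
$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }

function Test-ExternalRecipient {
    param([string[]] $Recipients)
    foreach ($r in $Recipients) {
        # Rule recipients render as '"Name" [SMTP:user@domain]' or as a bare address.
        $addr = if ($r -match '(?i)smtp:([^\]\s>]+)') { $Matches[1] } else { $r }
        $domain = ($addr -split '@')[-1].ToLower()
        if ($domain -and $internal -notcontains $domain) { return $true }
    }
    return $false
}

$report = @()
foreach ($rule in Get-InboxRule -Mailbox $UserPrincipalName) {
    $targets = @(@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ })
    $record = [ordered]@{ Name = $rule.Name; Identity = "$($rule.Identity)"; Enabled = $rule.Enabled
                          Targets = $targets; MoveToFolder = "$($rule.MoveToFolder)"; Action = 'kept' }
    if ($targets.Count -gt 0 -and (Test-ExternalRecipient $targets)) {
        $record.Action = 'removed: forwards/redirects to external domain'   # logged before removal
        Remove-InboxRule -Identity $rule.Identity -Confirm:$false
    } elseif ($rule.DeleteMessage -or $record.MoveToFolder -match 'RSS|Conversation History') {
        $record.Action = 'flagged for review: hides mail, not deleted'      # analyst decides
    }
    $report += [pscustomobject]$record
}

# Mailbox-level forwarding is a second exfiltration path that inbox rules do not show.
$mbx = Get-Mailbox -Identity $UserPrincipalName
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    $report += [pscustomobject]@{ Name = '<mailbox forwarding>'; Action = 'cleared'
                                  Targets = @("$($mbx.ForwardingSmtpAddress)", "$($mbx.ForwardingAddress)") }
    Set-Mailbox -Identity $UserPrincipalName -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
}

$report | ConvertTo-Json -Depth 4 | Set-Content -Path $LogPath   # ticket-ready record of what was done
$report | Format-Table Name, Action, Targets -AutoSize
```

The JSON written to $LogPath is the artifact to attach to the PSA ticket; the flagged rules stay in place until an analyst reviews them.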
Continued Lungfish
HAWK tool could be used for this: https://cloudforensicator.com/documentation
CIPP does something similar, but I would love to be able to associate the investigation and results to a ticket in PSA.
Example:
PoC reports potential incident > Tech runs flow from pod (or form) > HAWK tool gathers all related info and dumps into internal notes for tech review.
Might even be possible to include some conditions that are especially indicative of compromise and drop a "Remediate Now" webhook link.
Yellow green Flamingo
Especially Azure AD logons